CVE-2018-1002101

Name of the Vulnerable Software and Affected Versions Kubernetes versions 1.9.0 through 1.9.9 Kubernetes versions 1.10.0 through 1.10.5 Kubernetes versions 1.11.0 through 1.11.1

Description The issue is related to insecure handling of user input when setting up volume mounts on Windows nodes, which could lead to command line argument injection. This allows a remote attacker to execute arbitrary operating system commands. The vulnerability is associated with the failure to neutralize special elements used in operating system commands.

Recommendations For Kubernetes versions 1.9.0 through 1.9.9, update to a version outside of this range to mitigate the risk. For Kubernetes versions 1.10.0 through 1.10.5, update to a version outside of this range to mitigate the risk. For Kubernetes versions 1.11.0 through 1.11.1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting the setup of volume mounts on Windows nodes until a patch is available.